CVE-2026-44284: FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in M
Summary
FastGPT, a platform for building AI agents, had a security flaw in how it protected against SSRF attacks (server-side request forgery, where an attacker tricks a server into connecting to unauthorized internal systems). While some endpoints blocked internal network URLs, the tool creation endpoints did not, allowing an authenticated user to save a malicious internal URL that could later be used without additional checks when running workflows.
Solution / Mitigation
This issue has been patched in version 4.14.17.
Vulnerability Details
CVSS score: 6.3 (medium)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
May 8, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-44284
First tracked: May 9, 2026 at 02:12 AM